Eye Spy: Understanding Your Video Surveillance Technology Risks

George Orwell almost had it right: You are being watched. But it’s not just Big Brother that’s watching you. It’s your home security vendor, your employer, monitoring the front lobby, the security webcam at the parking ramp, your church nursery, your work computer, your phone.

On a macro and micro level, from fetal 4D ultrasounds to gravesite mapping American lives are being recorded as never before. Government entities, schools and colleges, public and private corporations and nonprofits are routinely relying on VS for safety and security reasons: as a crime deterrent; to protect proprietary methods and materials, and in short, to ferret out the bad guys.

Yet for all its benefits, VS technology poses some potentially devastating risks. With the typical velocity of our exploding Internet of Things, VS technology is outrunning our capacity to adequately grasp all the implications of its use and abuse; both to individual rights and to the greater society. Along with the increasingly common news of cyber hacks and attacks, we’ve all seen the rising tide of incidents involving real or perceived privacy or human rights violations tied to surveillance. Witness Samsung’s recent smart TV debacle; or community demands for the release of police video documentation after an officer-involved shooting.

But let’s say you own a company and just want to end the pilfering in the supply room. Your friend’s cousin can set you up with a CCTV and it’s only $100 a month. A no-brainer, right?

Before you set up that CCTV, the key thing to remember is that, while the fact of video surveillance alone doesn’t violate privacy, unauthorized access to it does.

But let’s say you did sign up with your friend’s cousin, without checking with Legal, or HR. Take a look at those surveillance files from last night. You may discover more than you bargained for: Illegal, illicit, or unsavory activity. You do know that if you become aware of a crime, you become part of that crime if you don’t report it, right? Yet who has access to the tape? You? The service provider? What if you turn over the data, but there’s other activity on the file that compromises someone’s privacy or damages their reputation?

This is not the time to call Legal and HR.

Instead, your VS technology program deserves the same proactive, interdisciplinary approach you’ve applied to your cyber resilience program, outlined in CIO Review’s June 2015 Cyber Security Issue. Bring in your team of Security, IT, HR, Legal, and Finance officers (and maybe others as appropriate), for a 360-degree perspective including answers to these questions:

• Does your VS procurement process account for Compliance, Legal and Financial Risks incurred when VS is implemented?
• Where does the VS Data go? How is it stored and managed? Who has access?
• What’s your VS disposal policy and process?

And, how secure is the VS software? The question of whether the software code has been compromised in a way that leaves it open to tampering is a real concern, say experts.

“Absolutely, it’s a problem, there are no guarantees on who will control the data and how well they control it,” says James Ryan, founder and principal of cyber security firm Litmus Logic. “The more advanced cyber attacks become, the more assurances firms should demand from their suppliers to verify that software and cloud systems are resilient to hacks, and that suppliers manage data and infrastructure with prudence and transparency,” Ryan said. Litmus Logic performs independent assurance services for software and services that have passed the most stringent tests, i.e. those of the Department of Defense and its suppliers.

While burgeoning technologies like VS provide us with more information than we’ve ever had, there’s still a lot to learn. Caveat Emptor: To the extent that we are poor consumers of technology, there will be unintended consequences.